OTPulse

FATEK Automation WinProladder

CVSS: 7.8
Source: ICS-CERT ICSA-21-098-01, Apr 8, 2021
Attack Vector: Local
Auth Required: None
Complexity: Low
User Interaction: Required
Summary

FATEK WinProladder versions 3.30 and earlier contain a buffer overflow or memory corruption vulnerability (CWE-191) that allows arbitrary code execution if a user opens a specially crafted project file. The vulnerability is triggered during file parsing and requires no special privileges. FATEK is developing a fix. The vulnerability is not remotely exploitable; an attacker must trick a user into opening a malicious project file, typically via email or social engineering. Successful exploitation allows the attacker to run code with the privileges of the engineering workstation user, potentially compromising PLC configuration and control logic.

What this means
What could happen
An attacker with local access to a system running WinProladder could execute arbitrary code with the privileges of the user, potentially compromising PLC automation logic and control sequences.
Who's at risk
FATEK WinProladder is used by operators and engineers at water utilities, electric utilities, and manufacturing plants to program and manage FATEK PLC controllers. Versions 3.30 and earlier are affected. This impacts anyone who uses FATEK automation systems to control pumping stations, tank levels, electrical distribution, or industrial processes.
How it could be exploited
An attacker must trick a user into opening a malicious project file (.pro or similar) in WinProladder. When the file is opened, a buffer overflow or memory corruption flaw is triggered, allowing code execution on the engineering workstation. This compromised workstation could then be used to modify PLC logic or download malicious code to connected controllers.
Prerequisites
  • Local access to the engineering workstation running WinProladder
  • User must open a malicious project file
  • Attacker must craft project file with buffer overflow payload
  • No special privileges or authentication needed on the engineering station
Risk factors
  • No patch available
  • Low complexity (user must open file; no special network access or authentication required)
  • Affects engineering workstations that have access to live PLC systems
  • Social engineering / phishing attack vector
Exploitability
Low exploit probability (EPSS 0.3%)
Affected products (1)
Product       | Affected Versions | Fix Status
WinProladder  | ≤ 3.30            | No fix (EOL)
Remediation & Mitigation
Do now
WORKAROUND: Only open FATEK project files from trusted internal sources; do not open project files received via email or from untrusted URLs.
HARDENING: Run WinProladder and all engineering workstations under least-privilege user accounts (non-administrator) to limit what malicious code can do if executed.
Schedule — requires maintenance window

Patching may require device reboot — plan for process interruption

HOTFIX: Upgrade to a patched version of WinProladder when FATEK releases a fix.
Mitigations - no patch available
WinProladder has reached End of Life. The vendor will not release a patch. Apply the following compensating controls:
HARDENING: Isolate WinProladder engineering workstations from general email and web browsing; use a dedicated air-gapped or restricted-access station for PLC programming.